IoT gateways are critical pieces of enterprise infrastructure that facilitate secure communication between IoT edge devices and the cloud. As IoT gateways serve as single points of control for all edge devices, they can make an attractive target for attackers, and protecting them is paramount.

RSA Project Iris provides security monitoring and visibility at the IoT edge. This post walks through several examples of how Project Iris can monitor IoT gateways, using the open source EdgeX Foundry platform as a motivating example.

EdgeX Foundry with Project Iris

The EdgeX Foundry platform for IoT gateways consists of many microservices that are deployed as Docker containers. Almost all of these microservices expose web APIs, some for internal consumption within the gateway and others for external use. MongoDb is used for storing data, such as IoT device metadata, logs, and sensor readings from connected IoT edge devices.

Setting up Project Iris on an EdgeX Foundry gateway involves simply deploying the Project Iris Docker container on the gateway. The Project Iris container passively collects data about local EdgeX microservices and securely sends the data to the Project Iris cloud service. The Project Iris cloud service analyzes the data and uses anomaly detection techniques and threat intelligence to identify suspicious activities and raise security alerts.

Threat Detection in Action

So what can Project Iris do? Below are examples of interesting security events that Project Iris can detect.

Initial Infection and Command and Control

A compromised host or microservice container will often execute a malicious payload and initiate suspicious network connections to risky sites, from which further payloads may be downloaded or "command and control" instructions are received to execute.

Project Iris can show when these suspicious payloads are executed or suspicious network connections are made. Below are example alerts for a compromised edgex-device-bacnet service, which is responsible for managing communications to IoT devices that support the BACnet protocol. The first alert shows an anomalous Python process that runs code to connect to an external site, download a payload, and execute it. The second alert is raised for the network connection being made to a known high risk IP address based in Germany.

Lateral Movement

Malicious payloads may probe the network for other endpoints to compromise. This is especially of concern for IoT gateways, which sit on many local edge networks and have privileged access to edge devices.

Project Iris can detect when a microservice container initiates these suspicious probes. The example alerts below show the compromised edgex-support-logging container probing another IoT device, a KMC thermostat, and also trying to connect to another microservice, edgex-device-snmp, on the same host. An alert is also raised for the execution of the ping command used for probing. Project Iris understands that these activities are not typical for the edgex-support-logging microservice and flags them.

Data Exfiltration

Data exfiltration is often the end goal of a compromise. IoT gateways often contain a wealth of sensitive information about edge devices including raw device data, device metadata, and credentials and keys for secure access to edge devices. On the EdgeX Foundry platform, this information is housed within MongoDB.

In the current pre-release version of EdgeX Foundry, MongoDB is set up with remote access enabled and well known default usernames and passwords. As an example of data exfiltration, we can dump the contents of the MongoDB database remotely using the mongodump tool:

This type of activity would cause Project Iris to raise several type of alerts, as shown below. The first alert is raised for a remote network connection to MongoDB. This connection was flagged as unusual because the database is normally only meant for local use on the gateway itself. The second alert is triggered because of an unusually large data transfer out of MongoDb.

Denial of Service

IoT gateways are especially susceptible to denial of service attacks because of the large number of edge devices they manage. Compromised edge devices could launch denial of service attacks at the gateway or through the gateway to other hosts.

As an example, we used a compromised network signal tower device to initiate a large volume of network connections to the gateway. Project Iris can detect this type of activity, as shown in the first alert below:

A denial of service attack can subsequently lead to one or more microservice containers crashing in an unexpected way. Project Iris can also detect this, as shown in the second alert above.

Conclusion

The goal of Project Iris is to bring security monitoring and threat detection capabilities to the IoT edge. In this post we walked through how Project Iris can be used to secure IoT gateways, which are critical enterprise assets responsible for managing edge devices. In a subsequent post, we'll talk about what Project Iris can do to bring similar visibility down to the edge devices themselves.

If you're interested in trying out Project Iris, register here and the RSA Labs team will notify you when it's available.